Abstract—A new model of multi-party secret key agreement
is proposed, in which one terminal called the communicator can 
transmit public messages to other terminals before all terminals 
agree on a secret key. A single-letter characterization of the 
achievable region is derived in the stationary memoryless case. 
The new model generalizes some other (old and new) models of 
key agreement. In particular, key generation with an omniscient 
helper is the special case where the communicator knows all 
sources, for which we derive a zero-rate one-shot converse for 
the secret key per bit of communication. 

I. Introduction 

A random number known only to several geographically
distributed terminals is a resource that can be used for cryptographic
purposes such as secure communications. Remarkably,
the terminals can usually distill such a shared random number,
or secret key, by communicating information about certain
correlated random processes they observe individually, even
though the communication is wiretapped by some eavesdropper.
The fundamental limits on the maximal secret key rate
can be studied using information theoretic tools [1][2][3].

In this paper we propose a new protocol of multi-party
secret key agreement, called secret key generation
with one communicator, as shown in Figure 1. Terminals^1
$\mathcal{Z}, \mathcal{X}_1, \dots, \mathcal{X}_m$ observe general sources $Z, X_1, \dots, X_m$, respectively.
The communicator $\mathcal{Z}$ is allowed to send public
messages $W_1, \dots, W_m$ to $\mathcal{X}_1, \dots, \mathcal{X}_m$, before all the $m + 1$
terminals agree on an integer $K$ (the key). We assume that for
each $l \in \{1, \dots, m\}$ there is an eavesdropper wiretapping the
communication link from the communicator to $\mathcal{X}_l$. Independence
of $K$ and $W_l$ for each $l \in \{1, \dots, m\}$ ensures security.

We derive a single-letter characterization of the achievable
public communication rates and the key rate in the stationary
memoryless case, which is a special case of the above formulation
where we identify $Z, X_1, \dots, X_m$ with the corresponding
block symbols.

Of course, other related protocols of key generation have 
been studied in the literature. The canonical one-way protocol 
(Model S with forward communication in [2]) is a special case 
of the secret key generation with one communicator protocol 
where m = 1, in which case a key rate 

$$R \le I(U; X_1) \tag{1}$$

^1 Following the convention in [2], we denote the terminals by the alphabets
of the sources they observe.

Figure 1: Key generation with one communicator

is achievable with a communication rate 

$$R_1 \ge I(U; Z) - I(U; X_1) \tag{2}$$

where $Q_{ZX_1}$ is the per-letter distribution of the stationary
memoryless source and $U - Z - X_1$. However the $m = 1$
case does not assume the full complexity and difficulty of
the general case, as we shall see later in terms of the single
letter region and the coding scheme.

If no communication constraints are imposed, then the 
maximal key rate is (c.f. [4]): 

$$\min_{1 \le l \le m} I(Z; X_l). \tag{3}$$

While random binning $Z^n$ shows the achievability of (3), it
cannot be used for the rate constraint case, where the receivers
do not need to be able to construct $Z^n$; indeed a main
difficulty with the rate constraint is to decide what common
message the terminals should be able to agree on.

Finally if the terminals only need to construct a common
random number without any secrecy guarantee (the CR
generation problem), then the rate region is also known [5,
Theorem 4.2] (see also [6]); a CR rate of

$$R \le I(U; Z) \tag{4}$$

is achievable if 

$$R_l \ge I(U; Z) - I(U; X_l), \quad \forall l = 1, \dots, m \tag{5}$$

where $U - Z - X^m$, which can be shown using an extension
of source coding with side information [7]. In contrast, the key
generation problem in this paper requires much more involved
achievability construction and analysis. Specifically, we use
superposition coding in a novel way in order to convey the
information of the key securely to the receivers. Whereas in
the common usage of superposition coding the lower layer
codeword is decoded before the upper layer [8], in our construction
the index of the upper layer codeword is transmitted
to the receiver to facilitate the decoding of the lower layer
codeword. Moreover, we use the recent achievability technique
of likelihood encoding [9] in order to simplify the security
analysis considerably.

Particularly interesting is the special case of $Z = X^m$,
which we call the omniscient helper problem. In this case,
a zero-rate one-shot converse on the secret key per bit
of communication can be derived using hypercontractivity^2,
strengthening the best converse bound that can be obtained
from Fano’s inequality. This new converse, derived from first
principles, also underlines the intimate interplay between key
agreement and hypercontractivity.

II. Problem Setup and Main Results 

Let $Q_{ZX^m}$ be the joint distribution of sources
$Z, X_1, \dots, X_m$. As in Figure 1, the terminals
$\mathcal{Z}, \mathcal{X}_1, \dots, \mathcal{X}_m$ observe $Z, X_1, \dots, X_m$, respectively,
and the communicator $\mathcal{Z}$ computes the integers
$W_1(Z), \dots, W_m(Z)$ possibly stochastically and sends
them to $\mathcal{X}_1, \dots, \mathcal{X}_m$, respectively. Then, the $m + 1$ parties
calculate integers $K(Z), K_1(X_1, W_1), \dots, K_m(X_m, W_m)$
possibly stochastically.

In the case of stationary memoryless sources and block
coding, we substitute $Z \leftarrow Z^n$ and $X_l \leftarrow X_l^n$ for each
$l$, where $n$ is the blocklength. The measures of reliable
communication and secrecy are defined as follows:

$$\epsilon_n = \max_{1 \le l \le m} \mathbb{P}[K \ne K_l], \tag{6}$$

$$\nu_n = \max_{1 \le l \le m} \{\log|\mathcal{K}| - H(K|W_l)\}. \tag{7}$$

Definition 1. The $(m+1)$-tuple $(R, R_1, \dots, R_m)$ is said to
be achievable if a sequence of key generation schemes can be
designed to fulfill the following conditions:

$$\liminf_{n \to \infty} \frac{1}{n} \log|\mathcal{K}| \ge R; \tag{8}$$

$$\limsup_{n \to \infty} \frac{1}{n} \log|\mathcal{W}_l| \le R_l, \quad l = 1, \dots, m; \tag{9}$$

$$\lim_{n \to \infty} \epsilon_n = 0; \tag{10}$$

$$\lim_{n \to \infty} \nu_n = 0. \tag{11}$$


From the standard diagonalization argument [10], the
achievable region is closed. Our main result is the following:

^2 Indeed, the new model stems from the first author’s attempt to design
a key agreement protocol in which the secret key per unit cost has a clean
correspondence to hypercontractivity.


Theorem 2. The set of achievable rates is the closure of

$$\bigcup_{Q_{US^m|Z}} \left\{ (R, R_1, \dots, R_m) : \begin{array}{l} R \le \min\{I(U;Z), I(US_1;X_1), \dots, I(US_m;X_m)\}; \\ R_l \ge I(US_l; Z|X_l),\ 1 \le l \le m \end{array} \right\}. \tag{12}$$

Remark 3. The region in Theorem 2 is not decreased if we
restrict to the union over $Q_{U|Z} \prod_{l=1}^m Q_{S_l|UZ}$.

Remark 4. Previous results of Ahlswede-Csiszár [2] and
Csiszár-Narayan [4] shown in (1)-(3) are clearly special cases
of Theorem 2.

A. Special Case: Omniscient Helper 

As alluded to in the Introduction, the problem reduces to 
an interesting special case when the communicator knows 
all other sources. In this situation the communicator can be 
viewed as a helper, since the requirement that it can recover 
the key is vacuous because of its omniscience; the rate region 
in Theorem 2 can also be simplified as follows, since setting 
$S_l = X_l$ in (12) is optimal.

Theorem 5. In the special case of $Z = X^m$, the set of
achievable rates is the closure of

$$\bigcup_{Q_{U|X^m}} \left\{ (R, R_1, \dots, R_m) : \begin{array}{l} R \le \min\{I(U;X^m), H(X_1), \dots, H(X_m)\}; \\ R_l \ge I(U;X^m) - I(U;X_l),\ 1 \le l \le m \end{array} \right\}. \tag{13}$$

The region in (13) has some special features: 

Remark 6. The region for a product source can be strictly 
larger than the Minkowski sum of its factors. Indeed even with 
unconstrained communication rates, the supremum key rate is 
as in (3), where the minimum implies that a joint encoding 
can asymptotically strictly outperform separate encoding of 
the independent components. 

Remark 7. The key rate can be positive even if $X^m$ has
independent coordinates. For example, when $m = 2$ and
$X_1 \perp X_2$ are equiprobable binary random variables, a key
rate of $R = 1$ is achievable if the helper sends $X_1^n \oplus X_2^n$ to
$\mathcal{X}_2$ and, thus, the terminals agree on $X_1^n$.
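
The XOR scheme in the remark above can be checked exactly for small block lengths by enumerating the joint distribution of the key and the public message. The Python sketch below is an added example, not code from the paper; the function names and the bias parameter `q` are assumptions made here, and the biased case goes beyond the remark to show what happens when $X_2$ is not equiprobable.

```python
import itertools
import math


def h2(q):
    """Binary entropy of q, in bits."""
    if q in (0.0, 1.0):
        return 0.0
    return -q * math.log2(q) - (1 - q) * math.log2(1 - q)


def xor_helper_scheme(n, q=0.5):
    """Exact analysis of the XOR helper scheme for block length n.

    Assumed model (constructed for this example): X1^n is uniform on
    {0,1}^n and X2^n is i.i.d. Bernoulli(q), independent of X1^n.  The
    omniscient helper sends W2 = X1^n xor X2^n to terminal 2 and nothing
    to terminal 1; the key is K = X1^n.

    Returns (P[K != K2], log|K| - H(K|W2) in bits, key rate in bits/symbol).
    """
    joint = {}   # joint pmf of (K, W2), as seen by the eavesdropper on link 2
    p_err = 0.0
    for x1 in itertools.product((0, 1), repeat=n):
        for x2 in itertools.product((0, 1), repeat=n):
            ones = sum(x2)
            p = 2.0 ** -n * q ** ones * (1 - q) ** (n - ones)
            if p == 0.0:
                continue
            w2 = tuple(a ^ b for a, b in zip(x1, x2))   # public message
            k = x1                                      # key at helper and terminal 1
            k2 = tuple(a ^ b for a, b in zip(w2, x2))   # terminal 2 strips its own source
            if k2 != k:
                p_err += p
            joint[(k, w2)] = joint.get((k, w2), 0.0) + p

    p_w = {}
    for (_, w), p in joint.items():
        p_w[w] = p_w.get(w, 0.0) + p
    h_k_given_w = -sum(p * math.log2(p / p_w[w]) for (_, w), p in joint.items())

    log_key = float(n)   # K ranges over all 2^n strings
    return p_err, log_key - h_k_given_w, log_key / n


if __name__ == "__main__":
    for q in (0.5, 0.25):
        err, leak, rate = xor_helper_scheme(4, q)
        print(f"q={q}: P[error]={err:.3f}  leakage={leak:.4f} bits  "
              f"(closed form {4 * (1 - h2(q)):.4f})  rate={rate}")
```

With `q = 0.5` the message acts as a one-time pad on the key, so the secrecy quantity in (7) is exactly zero at key rate 1; a biased $X_2$ leaks $n(1 - h(q))$ bits through the same message.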

Remark 8. Comparing the CR generation region (4), (5) and
the key generation region (13), we see that in the omniscient
helper problem the secrecy constraint does not increase the required
communication rates as long as $R \le \min_{1 \le l \le m} H(X_l)$.
In particular, this is unconditionally true for continuous
sources with infinite entropy. But even when the rate regions
coincide, the underlying achievability constructions are different;
indeed the coding schemes for CR generation in ([5,
Theorem 4.2] and [6]) do not provide security. The reason why
secrecy can be gained with no extra cost for small $R$ is that
the helper shares sufficient secure randomness (the sources)
with the other terminals to protect its messages.



III. One-Shot Achievability via Likelihood Encoder

We outline the derivation of a one-shot achievability bound
using the recent proof technique of likelihood encoding
[11][9]. This method adapts to general non-discrete, non-i.i.d.
sources and simplifies the analysis of the secrecy constraint.
Some standard notations in one-shot information theory,
which may be found in reference [12], will be used in
this section.

Theorem 9. Suppose the sources have joint distribution
$Q_{ZX^m}$. Fix an arbitrary $Q_{U|Z}$, $Q_{S_l U|Z}$, $1 \le l \le m$, integers
$I_0, \dots, I_m$ and $J_1, \dots, J_m$. Then there exists a key generation
scheme with |/C| = /q, |Wi| = which guarantees 

that 

¥[K^Ki]<2m{t + T + Ti), (14) 

\og\lC\-H{K\Wi) 

< inf 

0<(5<(/J/)2 exp( —1) 

(15) 

for each 1 < I < m, where we have defined 

m 

1=0 

T.= int{pfe,(C/;Z)>7l + 5^}, (17) 

Ti := mf Z\U) > 7] + - d^) 

e := max inf ([/S';; X;) < log(Jo - 1)-f 7] 

l<Z<m 7GIR 

-fexp(- 7 )}. (19) 

Proof Sketch: 

• Codebook construction: for each I = 1,..., m define the 
set 


1 


4m(2T + Ti + 26) log 




h h}. (20) 

Construct a codebook $u(i_0, i_1, \dots, i_m)$, $i_l \in \mathcal{I}_l$, $0 \le l \le m$,
where each codeword is generated i.i.d. according to
$Q_U$. Let $\mathcal{I} := \mathcal{I}_0 \times \mathcal{I}_1 \times \cdots \times \mathcal{I}_m$ and $I = |\mathcal{I}|$. For each
$i \in \mathcal{I}$ and $1 \le l \le m$, independently generate a codebook

(21)

where each codeword is generated i.i.d. according to
$Q_{S_l|U=u(i)}$.

• Encoding: define $P_V$ as the equiprobable distribution on
$\mathcal{I}$, and

$$P_{Z|V=i} := Q_{Z|U=u(i)}, \quad \forall i; \tag{22}$$

$$P_{ZV} := P_{Z|V} P_V. \tag{23}$$

Moreover for each $l$, let be the equiprobable distribution
on $\mathcal{J}_l$, and define

^z\wi=jV=i •“ *3z|Si=si(Li)tt=«(7)’''^*’-l'’

’fkv '■= ( 25 )

Then the encoder is a stochastic map

m

'^vw^\z '■=

1=1

that maps the observation $z \in \mathcal{Z}$ to $v \in \mathcal{I}$ and $\bar{w}^m \in \mathcal{J}^m$.
In other words, we first find $v$ using a likelihood encoder
with the likelihood function $P_{Z=z|V}$ and then find $\bar{w}_l$
using a likelihood encoder with the likelihood function
$P_{Z=z|\bar{W}_l V=v}$. Suppose $v = (v_0, v_1, \dots, v_m)$ where $v_l \in
\mathcal{I}_l$, $0 \le l \le m$. We identify $k = v_0$ and $w_l = (\bar{w}_l, v_1^l)$ as
the key for the communicator and the public messages.
Note that the second components of $w_l$ have a nested
(aligned) structure, which is important for maximizing
the key rate.

• Error analysis: The main idea is to use the soft covering
lemma (c.f. [11, Theorem VII.1] or [13]) iteratively
to show that the true distribution is close to
$P$ in total variation (expected over the codebook).
By construction $\bar{W}_l$ and $V$ are independent under
implying that the individual message and the key are also
nearly independent under $\pi$. Moreover, the decoding error
probability of the receivers under can be bounded
directly by Shannon’s achievability bound [14].

■

Theorem 9 immediately implies the achievability part
of the region (12) in the i.i.d. case: assume without loss
of generality that the sources are ordered in such a way
that $I(US_l; X_l)$ is non-increasing in $l$. We then identify
$(S^m, U, X_1, X_2, \dots, X_m, Z)$ in Theorem 9 as the block-coding
counterpart $((S^m)^n, U^n, X_1^n, \dots, Z^n)$ and let
be exponentially converging to zero as $n \to \infty$, and

$$J_l := \exp(n(I(S_l; X_l|U) + \beta)), \quad l = 1, \dots, m; \tag{27}$$

$$I_0 := \exp(n(\min\{I(U;Z), I(US_m; X_m)\} - \beta)); \tag{28}$$

$$I_l := \exp(n(\min\{I(U;Z), I(US_{l-1}; X_{l-1})\} - \min\{I(U;Z), I(US_l; X_l)\})), \quad l = 2, \dots, m; \tag{29}$$

$$I_1 := \exp(n(I(U;Z) - \min\{I(U;Z), I(US_1; X_1)\})) \tag{30}$$

to show the achievability of rates

$$R := \min\{I(U;Z), I(US_m; X_m)\} - \beta; \tag{31}$$

$$R_l := \max\{I(S_l; Z|U), I(US_l; Z|X_l)\} + 3\beta, \quad 1 \le l \le m \tag{32}$$

for $\beta > 0$ arbitrary. This establishes the achievability of

$$\bigcup_{Q_{US^m|Z}} \left\{ (R, R_1, \dots, R_m) : \begin{array}{l} R \le \min\{I(U;Z), I(US_1;X_1), \dots, I(US_m;X_m)\}; \\ R_l \ge \max\{I(S_l;Z|U), I(US_l;Z|X_l)\},\ \forall l \end{array} \right\}. \tag{33}$$

Then the achievability of (12) follows by noting that the
boundary of (33) can be achieved when $S_l$ is chosen so that
the two terms in the max are equal.

IV. Converse 

Due to space, this section only presents the main idea for 
the converse of Theorem 2. 

A. Deterministic Encoder 

We first consider the case where $K$ and $W^m$ are functions
of $Z^n$ (but $\mathcal{X}_l$ are allowed to calculate their keys randomly
from $(W_l, X_l^n)$ for $1 \le l \le m$). Given a key generation
scheme, denote by $K, K_1, \dots, K_m$ the keys produced by
$\mathcal{Z}, \mathcal{X}_1, \dots, \mathcal{X}_m$ and $W_1, W_2, \dots, W_m$ the messages sent to
$\mathcal{X}_1, \dots, \mathcal{X}_m$. Define

Ui:={K,Z^-^y, (34) 

Su.= {Wi,xr^), l</<TO,l<t<n (35) 

and let $N$ be equiprobable on $\{1, \dots, n\}$ independent of all
previously defined random variables. We identify

$$U = U_N, \quad S_l = S_{lN}, \quad \forall l, \tag{36}$$

which fulfills that

$$(U, S_1, \dots, S_m) - Z - (X_1, \dots, X_m). \tag{37}$$


The bounds in Theorem 2 can be verified using entropic 
manipulations and Fano’s inequality. 

B. Stochastic Encoders 

The converse for stochastic encoders cannot be obtained by
simple modifications of the analysis in IV-A. Indeed, the bound
in (12) no longer holds for stochastic encoders if we stick to
the assignment of the auxiliary random variables in (34)-(36).
An alternative approach is to view a stochastic encoder as
a deterministic function of $Z^n$ and $V$, where $V$ is a random
number satisfying $(X_1^n, \dots, X_m^n) - Z^n - V$, and then employ
the converse for deterministic encoders. We immediately see
that any achievable rates $(R, R_1, \dots, R_m)$ must satisfy

$$R \le \min\{I(U; ZV), I(US_1; X_1), \dots, I(US_m; X_m)\}; \tag{38}$$

$$R_l \ge \max\{I(S_l; ZV|U), I(US_l; ZV|X_l)\}, \quad 1 \le l \le m \tag{39}$$

for some $P_{US^mV|Z}$. Then it is possible to show that the region
specified by (38)-(39) is equivalent to the region specified in
(12) upon optimization.

V. A Zero-Rate One-Shot Converse 

In this section we derive a novel one-shot bound, using
hypercontractivity, on the maximum ratio of the log alphabet
sizes of the key and the messages such that the key can be
successfully generated in the omniscient helper problem. Since
this ratio is supremized as the key rate and the communication
rates tend to zero, such a converse bound may also be called
a zero-rate converse. The bound is asymptotically tight in the
case of abundant correlated sources but limited communication
rates, and gives a strong converse as it shows that the total
variation between the true and the correct distributions tends
to the maximal value under appropriate rate conditions. On the
other hand, previous works have obtained one-shot converses
using smooth Rényi entropy [15] or the meta-converse idea
[16][17], for which the asymptotic tightness is achieved in
the other extreme of limited correlated sources but unlimited
communications.

An $m$-tuple of random variables $(X_1, \dots, X_m)$ is said to be
$(p_1, \dots, p_m)$-hypercontractive for $p_l \in [1, \infty)$, $l = 1, \dots, m$,
if


E 








(40) 


for all bounded real-valued measurable functions $f_l$ defined on
$\mathcal{X}_l$, $l = 1, \dots, m$. In [18], Nair showed that (40) is equivalent
to the following inequality^3

$$I(U; X^m) \ge \sum_{l=1}^m \frac{1}{p_l} I(U; X_l) \tag{41}$$


being valid for all $P_{U|X^m}$. Thus from Theorem 5 and (41),
key generation cannot be accomplished asymptotically if

$$R < \sum_{l=1}^m \frac{1}{p_l}(R - R_l); \tag{42}$$

while if $r_1, \dots, r_m$ satisfies the property that
$1 \ge \sum_{l=1}^m \frac{1}{p_l}(1 - r_l)$ for all $(p_1, \dots, p_m)$ such that
$(X_1, \dots, X_m)$ is $(p_1, \dots, p_m)$-hypercontractive, then there
exists $(R, R_1, R_2, \dots, R_m)$ achievable such that $\frac{R_l}{R} = r_l$ for
each $l = 1, \dots, m$.

We prove a zero-rate one-shot converse for the omniscient
helper problem. Consider the one-shot case. Suppose
the (possibly stochastic) encoder for the public messages is
specified by and the (possibly stochastic) decoder
for the key is given by $P_{K_l|X_l W_l}$. Let be the
correct distribution under which $K_1 = K_2 = \cdots = K_m$ is
equiprobably distributed on $\mathcal{K}$. Clearly, a small total variation
— prfm| implies both uniformity of the key distribution
and a small probability of key disagreement.


Theorem 10. In the omniscient helper problem, if the source
$X^m$ is $(p_1, \dots, p_m)$-hypercontractive,^4 then



> 1 


1 

W\ 


m 


wn 


\m\\^ 

m) 




(43) 


Remark 11. Theorem 10 only concerns the performance of
CR generation, which will provide an obvious upper bound
on the performance of key generation. For the omniscient
helper problem, it turns out to be tight because the highest
key-communication ratio is achieved with small rates (by
convexity of the achievable region), in which regime the
secrecy constraint does not require higher communication rates
(Remark 8).

^3 In [18] the equivalence is demonstrated for $m = 2$, but the method therein
can be easily extended to the $m > 2$ case.

^4 In the i.i.d. case this is equivalent to the per-letter source $X^m$ being
$(p_1, \dots, p_m)$-hypercontractive by the tensorization property [18].

Remark 12. Theorem 10 yields a stronger converse on the
achievable ratio of the log alphabet sizes of the key and
the messages than Theorem 5, because:

• The converse from Theorem 5 is vacuous when the rates
are zero. In contrast, Theorem 10 is still applicable when
the log size of the key alphabet grows sub-linearly in the
blocklength. In fact, as long as

$$\log|\mathcal{K}| - \sum_{l=1}^m \frac{1}{p_l}(\log|\mathcal{K}| - \log|\mathcal{W}_l|) \to -\infty \tag{44}$$

which is weaker than (42), Theorem 10 implies that
I TV™ — RK m I converges to 2.

• Even if (42) holds, the converse of Theorem 5 relying
on Fano’s inequality does not guarantee that the error
probability in (6) tends to 1. Moreover Theorem 5 uses
relative entropy as the secrecy measure (7) (stronger than
total variation), amounting to a weaker converse.

Proof: For any $k \in \mathcal{K}$,




- rvj 


./ = 1 


m 


/ PKi=k\XiWi=wi 

) -ID™ 1 = 1 




< 


’^^1 = 1 
m 


'y\_PKi=k\XiWi 
1=1 

'W^^^PKi=k\XiWi ^Wi 

1^1 ^ 


< / max 
I vm 

1^1 
m 


dPxr. 

APx^ 


< 


1 = 1 
m 

n 

Z=1 


- TT / {^^^PKi=k\XiWi=wiY ^Pxi 

1=1 


JXi 


max Pxi=k\XiWi=wi‘^Pxi 

Wi 


m r /* 

-Y\_y2 PK,=k\XiW,=widPxi 

1=1 I Wi '' 


where 


• (49) uses the definition of hypercontracti\ 

^ 1 niax„, PKi=k\XiWi = 


• (50) uses Pi > 1 and 
Raising both sides of (51) to the power of — 


m 

{^{Ki=k} 

.1 = 1 

m r p 

-Y\.y 2 PKi=k\XiWi=wi 

1=1 \_wi 


But the function f™ i—0™ i ^ concave function on 

[0,oo)"*, so by Jensen’s inequality, 

-1 


' ' 1^1 


/ . / PKi=k\XiWi=wi<iPxi 


T,iP~ 


(53) 


< 


n 

m 

n 


1 


VI 


^ V / It^l ^ ^ PKi^k\XiWi^wi^PXi 
wi \ \ 


T.iP~ 




E 


Lwi 


<iPxi 


T.iP~ 


TT ( \P^l \ \^iP 

L\ V 1^1 


-1 
i_ 


(54) 


(55) 


(56) 


Combining (52) and (56) we obtain 

VI 




r\{Ki=k} 


.1=1 


EiP" 


- L\ y 1^1 


(57) 


Finally we invoke the following elementary bound: 

1 , 


:|TV™ — Prp 


VI 


= E 


r\iKi=k} 


U=l 




\K\ 


VI 

E> 


\IC\ 


i-E> 


k=l U=1 


= k} 
(58)' 


= k} 


./=1 


Ei Pi 


(59) 


and the proof is finished by combining (57) and (58). 


VI. Discussion 

It remains an enticing problem for future research to find out 
whether the achievable region is changed if we further require 
that the key has to be independent of all messages, instead of 
each message individually (see (7)). Such a stronger secrecy 
constraint is relevant when a powerful eavesdropper is able to 
intercept the messages to all the receivers. Our achievability 
proof does not guarantee this stronger level of secrecy, but for 
some specific sources it is possible to use structured codes to 
align different sub-codebooks so that the achievable rates do 
not change. Furthermore, in the unlimited communication case 
the key rate is not compromised by the stronger requirement 
either; see (3). Generally, an inner bound can be obtained by 
replacing $S_l$ in (12) with $S^l$, the proof of which involves a
vertical structure of superposition codebooks for $U, S_1, \dots, S_m$,
in contrast to the parallel structure of $S_1, \dots, S_m$ in the
achievability proof of Theorem 2.

Theorem 10 also gives an asymptotically tight strong converse
bound for the canonical one-way protocol (Model S
with forward communication in [2]). By setting $m = 2$ and
$R_1 = 0$, the resulting model immediately gives an upper-bound
on the performance of a CR generation model where $\mathcal{X}_1$
communicates to $\mathcal{X}_2$. This in turn bounds performance of one-way
key generation model because the public communication
can be used as part of the CR. In the end we can show that the
TV between $P_{KW}$ and the correct distribution hkw =
tends to 2 if log |/C| — i-s^[xf.x 2 ) 1^1 where
$s^*(X_1; X_2)$ is the strong data processing coefficient [18].